I2NSF Working Group | R. Kumar |
Internet-Draft | A. Lohiya |
Intended status: Informational | Juniper Networks |
Expires: February 4, 2017 | D. Qi |
Bloomberg | |
X. Long | |
August 3, 2016 |
Security Controller: Use Case Summary
draft-kumar-i2nsf-controller-use-cases-00
This document provides use cases for the I2NSF security controller. The use cases described here are from a wide varierty of deployment scenarios in multipe market segments. The use cases would help in developing a comprehensive set of client interfaces.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 4, 2017.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
In order to define and build client interfaces for the I2NSF security controller, we must understand the security industry landscape from the user's perspective and determine where I2NSF work could potentially be valuable. The use cases would help I2NSF to develop the client interface framework applicable to wide variety of deployment scenarios. Basically, without a set of use cases, it is hard to know whether the client interfaces, developed by I2NSF WG, actually meet the targeted industry requirements.
This draft makes an attempt in categorizing the security users into various market segments and providing a list of common use cases in each market segment. This is by no means a complete list, but an attempt to list the most common use cases.
There is a need for security solutions in almost every market segment, but the use cases vary based on the requirements in that segment. It would not be feasible to look at every industry and list all the use cases. Instead, we categorize the industry into various groups or domains with each group having similar use cases.
The service providers need a large network presence to provide connectivity services to their clients and usually divide the large network into multiple domains or zones. We consider two such segments for security use cases.
Access: This part of the network usually deals with basic connectivity, but lately this is undergoing rapid changes and services are being deployed for various use cases. There is a new working group ETSI MEC in this space.
Core: This is where a service provider deploys 3G, 4G and other managed services. The SP's data center hosts various applications to deliver these services.
The Enterprise network varies based on the organization's size and needs. We consider the following segments for use cases.
Branch: An organization's remote location that hosts workers, some applications and data for efficiency reasons.
Campus: An organization's regional or corporate headquarters where workers and applications are hosted. A small or medium Enterprise may have just one location where all workers and applications are hosted.
Data Center: The large Enterprise may have multiple hosting places for their applications and data.
The primary use cases for a cloud service provider are related to managed security services and security needs for deploying applications in the public cloud.
Data Center: The Cloud Service Provider may have one or more locations to deliver all its services.
This includes residential and enterprise users with different requirements.
The SP provides these as managed security services which may be bundled in the subscription or separately sold
These services can be broadly categorized as the following:
Parental Control:
Content Management:
External Threat Management:
The Enterprises are rapidly moving to the cloud. This comes with more services consumed from the cloud instead of being deployed at their premise. The reason for this is to cut costs and avoid constant HW/SW upgrades.
The managed security services for Enterprise can be broken into two broad categories:
External Threat Management:
An Enterprise might subscribe to one of the following services.
Lateral Threat Management:
An Enterprise might subscribe to one of the following services in addition to connectivity services such as VPN.
The SPs selling the security services must also protect their own infrastructure to ensure that there is no disruption to their customers.
Threat Management:
Robust Service Delivery:
Gi FW: The set of security features needed to protect the SP's mobile infrastructure and mobile user handset.
GiLAN Services: The set of security services configured for mobile users.
MEC Service Delivery: The set of security features needed to deliver MEC services
The Enterprise Branch and Campus security use cases are simple and usually related to threat management from Web. These are categorized as following:
Threat Management:
Access and Data Management:
The Enterprise landscape is evolving rapidly due to virtualization and the move towards cloud based XaaS consumption models. The data centers are now built with mutli-vendor devices, in physical and virtual form factors. This creates a problem for data center operators as the attack vectors multiply.
The cloud data centers have more dimensions such as a large presence and multi-tenant environment, but must still deliver services in a secure manner. The use cases in this category are fairly large and diverse, so we are listing the most common ones below:
Threat Management: Same as above
Regulatory and Compliance:
This document requires no IANA actions. RFC Editor: Please remove this section before publication.
[I-D.ietf-i2nsf-problem-and-use-cases] | Hares, S., Dunbar, L., Lopez, D., Zarny, M. and C. Jacquenet, "I2NSF Problem Statement and Use cases", Internet-Draft draft-ietf-i2nsf-problem-and-use-cases-01, July 2016. |